Information Security Policy



The Thabachweu Local Municipality's intention in publishing policies and procedures is not to impose
restrictions that are contrary to the Municipality's established culture of openness, trust and integrity. The
Municipality is committed to protecting its employees, clients, and service providers from any illegal or
damaging actions by individuals, either knowingly or unknowingly.

1. Overview

The data stored on the Thabachweu Local Municipality's ICT infrastructure is an extremely valuable
asset for delivering services to its clients, both internal and external. The increasing reliance on
information technology for service delivery makes it necessary to govern, by an internal policy, the way
these systems are developed, operated, used and maintained, to ensure the safety and security of this
asset. The increasing need to transmit information across networks renders the data more vulnerable
to accidental or deliberate unauthorised modification, disclosure, theft or data loss. The
Municipality therefore seeks to ensure that the confidentiality, integrity and availability of its
information are maintained by implementing policies to minimise any potential risk.

2. Purpose 

This Policy has been developed to protect all the data stored on the Municipality's ICT infrastructure 
(including workstations and laptops), to an adequate level from events which may jeopardise any 
service delivery function of the Municipality. These events will include accidents as well as behaviour 
deliberately designed to cause security breaches. The Policy applies to all employees of the 
Thabachweu Local Municipality, its business partners, service providers and contractors. 

3. Regulatory Compliance 


Municipal Finance Management Act 56 of 2003; Sec 95; General financial management functions of 
accounting officers.—The accounting officer of a municipal entity is responsible for managing the 
financial administration of the entity, and must for this purpose take all reasonable steps to ensure— 

(a) that the resources of the entity are used effectively, efficiently, economically and transparently; 

(b) that full and proper records of the financial affairs of the entity are kept; 

(c) that the entity has and maintains effective, efficient and transparent systems— 

(i) of financial and risk management and internal control; and 

(ii) of internal audit complying with and operating in accordance with any prescribed norms 
and standards; 

(d) that irregular and fruitless and wasteful expenditure and other losses are prevented; 

(e) that expenditure is in accordance with the operational policies of the entity; and 

(f) that disciplinary or, when appropriate, criminal proceedings, are instituted against any 
official of the entity who has allegedly committed an act of financial misconduct or an offence in 
terms of Chapter 15. 


Author: Sbusiso Langa Review: ICT Committee Approve: [Manager] 

File Name: ThabaPoIJnformation Security_vl.lpdf | Policy Page 4 





Thabachweu Local Municipality 


Author: Sbusiso Langa 
Review: ICT Committee 
Approved: [Manager] 
Date: 

Information Security Policy 
Version 1.1 


4. Scope 

It is the obligation of the Thabachweu Local Municipality to protect all its software, systems, services
and information assets from internal or external threats, deliberate or accidental.

It is the policy of the Municipality to ensure that: 

• The accuracy and completeness of information will be safeguarded.

• Information will be protected against any unauthorised access. 

• Confidentiality of information will be assured. 

• Integrity of information will be maintained. 

• Functional requirements for the availability of information and information systems will be met. 

• Legislative and Regulatory requirements will be met. 

• Information Security Training will be provided. 

• All breaches of information security, actual or suspected, will be reported and investigated. 

• The Municipality's Security Officer has direct responsibility for maintaining the policy and providing 
advice and guidance on its implementation. 

• All Managers are directly responsible for implementing and enforcing the ICT policies within their 
sub-sections. 

• IT employees are directly responsible for reviewing the policy regularly to ensure policy compliance.

5. Objectives 

• To ensure all the employees of the Thabachweu Local Municipality, its business partners, service
providers and contractors have been made aware of their responsibilities for ensuring information
security.

• To ensure all contractors and their employees have a proper awareness of and concern for the security
of the Municipality's information.

• To provide a framework giving guidance for the establishment of standards, procedures and
computer facilities for implementing computer systems security.

• To ensure that all staff are aware of their accountability and that they are aware that failure to
comply with the Information Security Policy is a disciplinary offence which may include action up to
and including summary dismissal.

• This policy will be reviewed and improved on a quarterly basis by the Municipality's Security Officer.

5.1. Acceptable Use 

Acceptable use is defined as "used for the purpose of": 

• Research 

• Personal educational development

• Administration and management of the Municipality's business

• Development work and communication associated with the above 

• Consultancy work contracted to the Municipality 

• Reasonable use of computer facilities for personal correspondence, where not connected with any 
commercial activity, is at present regarded as acceptable. 

5.2. Security Management and responsibilities 

5.2.1. Data Owner 

The Municipality's Security Officer is the "data and information asset" owner of the Municipality
and is responsible for:

• Ensuring, in liaison with the Municipality's CFO, that the software, application and system licenses
used on the Municipality's ICT infrastructure are accurate, available on request and purchased
according to financial regulations.

• Preparing details of who can access what information, how and when, according to the particular 
classification of the information. 

• Ensuring that the system is maintained in an effective and controlled manner. 

• Ensuring that staff immediately reports any violations or misuse of the system. 

• Ensuring application training and password control.

5.2.2. Management 

It is the responsibility of managers to ensure the following, with respect to their staff: 

• All current and future staff should be instructed in their security responsibilities. 

• Staff using computer systems must be trained in their use.

• Staff must not be able to gain unauthorized access to any of the Municipality's IT systems which 
could compromise data integrity. 

• Managers should determine which individuals are given authority to access specific information
systems. The level of access to specific systems should be based on job function need, irrespective
of status.

• Managers should implement procedures to minimize the Municipality's exposure to fraud, theft or 
disruption of its systems such as segregation of duties, dual control, and peer review or staff 
rotation in critical susceptible areas. 

• Current documentation must be maintained for all critical job functions to ensure continuity in the 
event of relevant staff being unavailable. 

• All staff should be aware of the confidentiality clauses in their employment contract.

• Managers must ensure that the relevant system managers are advised immediately about staff
changes affecting computer access (e.g. job function changes, leaving the Municipality) so that
passwords may be withdrawn or deleted appropriately.

• Managers must ensure that all contractors undertaking work for the Municipality have signed 
confidentiality (non-disclosure) undertakings. 

• Managers should ensure that all staff have access to and have read the Thabachweu Local 
Municipality's policies and procedures. 

5.2.3. Users 

• Each employee, contractor, temporary worker or learner is responsible for ensuring that no
breaches of information security result from their actions.

• Each employee, contractor, temporary worker or learner is responsible for reporting any
breach, or suspected breach, of security.

5.2.4. Security Officer 

• The job description for the Security Officer will include specific reference to the security role and
responsibility of the post.

• The ICT systems within the Municipality should have at least one individual trained with the 
expertise to fully manage, support, maintain and administer the system. 

• The Security Officer will be responsible to the Municipal Manager to ensure a continued system
security improvement process.

• Ensure that only those persons who are authorized to have access are provided with only that 
capability. 

6. Risk Management 


Risk management aims to identify and counter possible threats to the Thabachweu Local Municipality's
information security and standards. An assessment of all risks will be made for each information system
to ensure that they are secured appropriately and cost effectively. Information systems within the
Municipality may face many risks which a Security Policy can reduce or eradicate:

6.1. Business Continuity 

• The risks of disruption to day-to-day business are reduced by informing staff about contingency
procedures, backup and safekeeping of records.

6.2. Protection for Employees and Records

• The security policy will ensure better protection of confidential information from unauthorized
staff, students or thieves etc. Well protected records are less likely to fall into the wrong hands or 
be misused. Standardized procedures also protect honest employees because they know what is 
expected of them, therefore protecting their integrity if a serious incident occurs. 

6.3. High Data Quality 

• Good security measures often function as preventative internal controls; they help eliminate
mistakes. Error correction is often the most time consuming of all manual processes, and reducing
errors frees staff to concentrate on developments and improvements.

6.4. Risk of Computer Crime 

• Following a strict security policy ensures that staff endeavour to close the loopholes in
working practices, which makes life more difficult for persons attempting to remove computer
equipment.

6.5. Risk from viruses 

• Viruses are one of the greatest threats to the Thabachweu Local Municipality's computer systems.
PC viruses become easier to avoid with staff, contractors and temporary workers aware of the risks
associated with unlicensed software or bringing data/software from outside the Municipality.
Anti-virus measures reduce the risks of damage to the network.

• Managers are responsible for ensuring that all staff are aware of and adhere to this Information 
Security Policy. Departmental managers are responsible for ensuring that all staff attend these
awareness sessions. In order to maintain the Municipality's information security and integrity, 
department managers must view Information Security Training with the same gravity as Health and 
Safety training. 

6.6. Confidentiality Agreements 

• The Thabachweu Local Municipality will continue to adopt comprehensive policies and procedures 
to ensure the secure handling of personal information within all information environments such as 
complying with the relevant legislation. 

• Computer system users should sign an appropriate confidentiality (non-disclosure) undertaking.
This should be part of the contract of employment for all staff members; however, this applies
particularly to staff with access to sensitive data or systems.

• Before signing, each employee should have the conditions carefully explained by the Director or
other such officer delegated by them. Contractors and third party users not already covered by an
existing contract (containing the confidentiality undertaking) should be required to sign a
Confidentiality Agreement prior to employment/registration.

• These Confidentiality Agreements should be reviewed when there are changes to terms of 
contract, particularly when systems are upgraded or contracts are due to end. 

7. Business Continuity: Disaster Recovery Plans 

• The Municipality's Security Officer is the owner of the Disaster Recovery Plans and will be held
responsible for the Municipality's contingency plan, its on-going review and maintenance. This
should be seen as part of the wider organizational plan.

• The Municipality's Security Officer will be responsible for the technical aspects of all contingency 
plans and should provide advice on aspects of system data "catch up". The Security Officer will 
maintain a Disaster Recovery Plan to ensure that all critical systems can be restored if necessary. 

7.1. Effective planning 

• The Municipality acknowledges that some form of disaster may occur, despite precautions, and 
therefore seeks to contain the impact of such an event on its core business through tested disaster 
recovery plans. 

• The Municipality recognizes that IT systems are increasingly critical to its business and that the
protracted loss of key systems/user areas could be highly damaging in operational terms.

ICT Disaster Recovery plans must be maintained, reviewed, improved and tested. During this
process the focus must be on, but not limited to, the following:

• Identification of critical computer systems 

• Identification and prioritization of key users/user areas 

• Agreement with users to identify disaster scenarios and what levels of disaster recovery are 
required 

• Identification of areas of greatest vulnerability based on risk assessment 

• Mitigation of risks by developing resilience 

• Developing, documenting and testing disaster recovery plans identifying tasks, agreeing on 
responsibilities and defining priorities 

7.2. Planning the ICT framework 

• Disaster recovery plans will cater for different levels of incident including:

o Loss of a key or all keys providing access to ICT facilities
o Loss of an ICT area or building
o Partial or full loss of the network infrastructure
o Partial or full loss of the server infrastructure including hardware, software or data
o Partial or full loss of the server services infrastructure
o Loss of ICT supporting staff
o Emergency procedures covering immediate actions to be taken in response to an incident
o Fall-back procedures describing the actions to be taken to provide contingency devices defined in the disaster recovery plan
o Resumption procedures describing the actions to be taken to return to full normal service
o Testing procedures describing how the disaster recovery plan will be tested
o Evidence of regular and adequate testing of Disaster Recovery Plans

8. Equipment and Software Registers 

8.1. Inventory 

• An inventory of all the Municipality's ICT hardware and software will be maintained. It is the 
responsibility of the Security Officer or their named representative to detail each item of computer 
related equipment and software purchased. This Section will keep a copy of the inventory and will 
periodically audit software that is installed. This policy will enable differences over time to be seen 
and then accounted for. 

8.2. Software Register 

• An up-to-date register of all proprietary software including maintenance periods, guarantees,
versions and expiry dates will be maintained to ensure compliance with developer, vendor and
supplier license agreements.

9. Access control to secure areas 

9.1. Physical security 

• All central processors, networked file servers and central network equipment will be located in 
secure areas with restricted access. 

• The Municipality's server room will be a highly secured area housing the computer systems. An 
entry restriction system will be incorporated to protect the room. 

• Local network equipment, file servers and network equipment will be located in secure areas and 
where appropriate within locked server cabinets. 

9.2. Entry controls 

• Unrestricted access to the central computer facilities will be confined to designated staff whose job 
function requires access to that particular area or equipment. Restricted access may be given to 
other staff where there is a specific job function need for such access. 


• Authenticated representatives of third party support agencies will only be given access through 
specific authorization. All secure areas will have an entry log which staff and visitors must use. 
Regular reviews of who can access these secure areas should be undertaken. 

10. Security of Third Party Access 

10.1. Access Control 

• No external agency will be given access to any of the Municipality's networks unless that body has
been formally authorized by the Security Officer to have access. All non-Municipal agencies or
contractors will be required to sign security and confidentiality agreements with the Municipality.

• The Municipality will control all external agencies' and contractors' access to its systems by
enabling or disabling connections for each approved access requirement.

• The Thabachweu Local Municipality will put in place adequate policies and procedures to ensure 
the protection of all information being sent to external systems. In doing so, it will make no 
assumptions as to the quality of security used by any third party but will request confirmation of 
levels of security maintained by those third parties. Where levels of security are found to be 
inadequate, alternative ways of sending data will be used. All third parties and any outsourced 
operations will be liable to the same level of confidentiality as Municipal employees. 

11. User Access Control 

11.1. Access to Systems 

• Staff, contractors and learners should only access systems for which they are authorized. It is a 
criminal offence to attempt to gain access to computer information and systems for which they 
have no authorization. 

• All contracts of employment, conditions of contract for contractors and student access agreements 
should have a non-disclosure clause, which means that in the event of accidental unauthorized 
access to information, the member of staff, contractor or learner is prevented from disclosing 
information which they had no right to obtain. 

11.2. Eligibility 

The following are eligible to register as users: 

• Any person holding a contract of employment with the Municipality; 

• Any person holding a contract position in the Municipality; 

• Any person recommended by the Municipal Manager or Mayor. 

• Contractors and service providers appointed by the Municipality to carry out specific functions for a
defined period.

• With the exception of access to material intended for the general public, use of information
systems and networks shall be restricted to registered users only.

11.3. User Registration 

• Formal procedures must be used to control access to systems. An authorized manager must 
countersign each application for access. Access privileges will be modified/removed - as 
appropriate - when an individual changes jobs or leaves the Municipality's employment. 

• Each application for access should be countersigned by the Municipality's security officer. 

11.4. Password Management 

• A password is "Confidential authentication information composed of a string of characters" used to 
access computer systems. Passwords must be kept confidential. Passwords are the responsibility of 
individual users; they must not be used by anyone else even for a short period of time. The giving 
of an authorized password to someone unauthorized in order to gain access to an information 
system is a disciplinary offence. All system managers will ensure their systems enforce password 
changes at monthly or quarterly intervals. A 12 month history of passwords should be kept. 

• Passwords must be at least 6 characters in length. They should be a mix of upper and lowercase
and use other characters such as # @ $ * etc. It is good practice to use 'screensaver' passwords in
multiple occupancy offices, and essential in public areas. Passwords should be changed at least
monthly or quarterly; new systems should force this. No staff should be given access to a live
system unless properly trained and made aware of their security responsibilities.

11.5. Employment termination 

When a member of staff leaves the employment of the Municipality, their email account record 
must be ended as part of the termination action carried out by HR. The Information Technology 
Bureau must run a monthly PERSAL report based on this information and ensure that all email 
accounts for members of staff no longer with the Municipality are terminated. Prior to an 
employee leaving, or to a change of duties, line managers should ensure that: 

• The employee is informed in writing that he/she continues to be bound by their signed 
confidentiality agreement. 

• Passwords are removed or changed to deny access.

• Relevant departments are informed of the termination or change, and, where appropriate, the 
name is removed from authority and access lists 

• Supervisor passwords allocated to the individual should be removed and consideration given to
changing higher level passwords to which they have access.

• Reception staff and others responsible for controlling access to appropriate premises are informed
of the termination, and are instructed not to admit the individual in future without a visitor's pass.

• Where appropriate, staff working out notice are assigned to non-sensitive tasks, or are appropriately
monitored.

11.6. Property return 

• Particular attention should be paid to the return of items which may allow future access. These 
include personal identification devices, access cards, keys, passes, manuals & documents. The 
timing of the above requirements will depend upon the reason for the termination, and the 
relationship with the employee. Where the termination is mutually amicable, the removal of such 
things as passwords and personal identification devices may be left to the last day of employment. 
Once an employee has left, it can be impossible to enforce security disciplines, even through the
legal process. Many cases of unauthorized access into systems and premises can be traced back to
information given out by former employees.

• System managers will be required to delete or disable all identification codes and passwords 
relating to members of staff who leave the employment of the Municipality on their last working 
day. Prior to leaving, the employee's manager should ensure that all files of continuing interest to 
the business of the Municipality are transferred to another user before the member of staff leaves. 
It is good practice for an 'exit' interview to be held during which the manager notes all the systems 
to which the member of staff had access and informs the relevant system managers of the leaving 
date. Special care needs to be taken when access to personnel data and commercially sensitive and
financial data is involved.

• Managers must ensure that staff leaving the Municipality's employment do not inappropriately
wipe or delete information from hard disks. If the circumstances of leaving make this likely then
access rights should be restricted to avoid damage to the Municipality's information and equipment.

• In certain circumstances where exiting staff retain a formal relationship with the Municipality after 
they leave they may be provided with access to an email account after they have left the 
employment of the Municipality for a limited time. 

• In certain circumstances to be evaluated on a case by case basis contractors may be provided with 
access to an email account after they have left the employment of the Municipality for a limited 
time. 

11.7. Intern programs 

• Learnership email accounts are currently rendered inactive at the end of the period of learnership.

• Particular attention should be paid to the return, or disabling of items which may allow future 
access. These include personal identification devices, access cards, keys, passes, manuals & 
documents. 

11.8. Visitors and Contractors

• All visitors to the Municipality should have official identification issued by the Municipality and
their arrival and departure times recorded. If temporary passwords need to be issued to allow 
access to confidential systems these need to be disabled when the visitor has left. 

• Visitors should not be afforded an opportunity to casually view computer screens or printed
documents produced by any information system without authorization. All managers are
responsible for informing the Information Technology Bureau when temporary staff leave the
employment of the Municipality.

• There is a requirement for the Municipality's Security Officer to have a procedure in place for the
secure control of contractors maintaining and supporting computing equipment and software. The
contractor may be on site or working remotely via a communications link.

12. Information Asset Protection 

12.1. Data Backup 

• Data should be stored on the Municipality's server infrastructure when and where possible so that it
is included in the backup schedule. Should information be stored on a laptop's or desktop's local hard
drive, the "user" of that data then becomes responsible for the information backups. Data should
be protected by clearly defined and controlled back-up procedures which will generate data for
archiving and business contingency planning purposes. The Municipality's Security Officer and all
other sub-section managers should produce a written backup request for the systems, services,
data or any other information under their management.

• All data held in off-site storage facilities should be accorded the same security as live data and
should be held at a secure off-site location. Archived data is information which is no longer in current
use, but may be required in the future for legal or audit purposes.

• Data recovery should be at an adequate level of service and recovery time in the event of an 
emergency and should be regularly tested. To ensure that, in an emergency, the back-up data is 
sufficient and accurate, it should be regularly tested. This can be done by automatically comparing 
it with the live data immediately after the backup is taken and by using the back-up data in regular 
tests of the contingency plan. 

• Recovery data should be used only with the formal permission of the Municipality's Security Officer 
or as defined in the documented contingency plan for the system. If live data is corrupted, any 
relevant software, hardware and communications facilities should be checked before using the 
back-up data. This aims to ensure that back-up data is not corrupted in addition to the live data. 

12.2. Equipment and Data Disposal 

• If a machine has ever been used to process confidential data, then any storage media should be 
disposed of only after reliable precautions to destroy the data have been taken. Procedures for 
disposal should be documented.

• Many software packages have routines built into them which write data to temporary files on the
hard disk for their own purposes. Users are often unaware that this activity is taking place and may
not realize that data which may be sensitive is being stored automatically on their hard disk.
Although the software usually (but not always) deletes these files after they have served their
purpose, they could be restored and retrieved easily from the disk by using commonly available
utility software.

• Therefore, disposal of any equipment or data should only be arranged with the Municipality's 
Security Officer who will facilitate the process. 

13. Software and Information Protection 

13.1. Licensed software 

All users should ensure that they only use licensed copies of commercial software. It is a criminal 
offence to make/use unauthorized copies of commercial software and offenders are liable to 
disciplinary action. The loading and use of unlicensed software on the Municipality's computing
equipment is NOT allowed. The Municipality's Security Officer and Internal Audit should monitor the
installation and use of software by means of regular software audits; any breaches of software 
copyright may result in personal litigation by the software author or distributor and may be the basis 
for disciplinary action under the Municipality Disciplinary Policy. 

13.2. Unauthorized Software 

• The Thabachweu Local Municipality will only permit authorized software to be installed on any of 
its ICT assets. 

• The ICT infrastructure owned by the Municipality may only be used within the "acceptable use" 
framework. The copying of leisure software on to equipment owned by the Municipality is strictly 
forbidden. 

13.3. Virus control 

• The Municipality seeks to minimize the risks of computer viruses or malicious code through 
education, good practice procedures and anti-virus software positioned in the most vulnerable 
areas. 

• Users should report any viruses detected on their machines or virus outbreaks in their sections 
immediately to the Municipality's Security Officer. 

• External data disks or memory sticks/keys must be scanned for viruses before data is accessed, 
copied or moved from the device. 

• Users must be made aware of the risks associated with viruses from the internet, e-mail and 
external storage devices.

13.4. Computer "lock" Policy

• A computer policy must be enforced so that all inactive computers "screen saver lock" after a 15
minute period of inactivity.

• In high risk areas such as cashiers and accounts, the "screen saver lock" option must be set to lock
after a 5 minute period of inactivity.

• Users should "lock" their computers by pressing Alt+Ctrl+Del and then selecting "Lock this computer"
when leaving them unattended. A valid username and password is required to "un-lock" the
computer.

14. Equipment Security 

14.1. Equipment Placement and protection 

• IT equipment must always be installed and placed in accordance with the manufacturer's 
specification. 

• Where appropriate, environmental controls will be installed, to protect central or key equipment. 
Such controls will trigger alarms and notifications if environmental problems occur. 

• Where equipment is placed in a secure area, only authorized entry will be permitted. 

• Smoking, drinking and eating will not be permitted in areas housing computer equipment. 

14.2. Power supplies 

• Where appropriate the Municipality's ICT equipment must be connected to either a UPS or backup 
power generator and not to the mains electricity supply of the facility. 

15. Network Security 

15.1. Creation of parallel networks 

• The Municipality aims to employ suitable measures to reduce risks of damage and corruption to its 
computer equipment and systems. 

• The use of any connection device to create a parallel network is strictly forbidden and should be 
reported to the Municipality's Security Officer. 

15.2. Portable & Hand-held Computing Equipment 

• Equipment, software or confidential information is not allowed to be taken off-site by staff without 
the required approval documentation. 

• Laptop computers must have appropriate access protection, for example, passwords and encryption, 
and must not be left unattended in public places or in vehicles. 

• Computer equipment is vulnerable to theft, loss or unauthorized access. Always secure laptop and 
handheld equipment when leaving an office unattended. 

• When travelling, the high incidence of car theft makes it inadvisable to leave computer equipment 
in cars or to take them into vulnerable areas. 

• To preserve the integrity of data, frequent data transfers should be maintained between portable 
computers and the Municipality's server infrastructure for backup purposes. 

• Users of portable computing equipment are responsible for the security of the hardware and the 
information it holds at all times on or off the Municipality's property. 

• The equipment should only be used by the Municipality's staff member to whom it is issued, under 
the guidance of the "acceptable use" policy. 

• Users of portable equipment must pay attention to the protection of personnel data and 
confidential data. The use of "power on" passwords is mandatory for all portable computers, 
and "drive lock passwords" are mandatory on all portable computers holding sensitive or 
confidential information. 

• Passwords must be used on all files containing confidential information and the passwords must 
only be shared with management and fellow colleagues reviewing or updating the files. 

16. System Documentation 

• All systems should be adequately documented by the Security Officer, and the documentation should 
be kept up to date so that it matches the state of the system at all times. In this context, system 
documentation relates to the configuration, processes etc. of the Municipality's systems and not 
material which would otherwise be in the public domain. 

• System documentation, including manuals, should be physically secured (for example, under lock 
and key) when not in use. An additional copy should be stored in a separate location which will 
remain secure, even if the computer system and all other copies are destroyed. 

• Distribution of system documentation should be formally authorized by the Security Officer. 

• System documentation may contain sensitive information, for example, descriptions of application 
processes and authorization processes. 

17. Electronic Mail (Email) 

For more details around e-mail and security refer to the Thabachweu Local Municipality's approved 
policies and procedures. 

17.1. Policy Framework 

• The Municipality provides staff, contractors and learners with access to a variety of information 
technology systems and electronic communication media, including email, for the purposes of 
conducting the Municipality's business. 

17.2. Drafting e-mails 

• Users are responsible for drafting all emails carefully, taking into account any form of 
discrimination, harassment, representation of the Municipality, defamation or data protection 
issues. 

• Staff emails are a form of corporate communication and therefore should be drafted with the same 
care as letters. Before sending an email, proofread it to make sure your message is understandable 
and appropriate. 

• Users should be careful when replying to emails previously sent to a group. 

17.3. Viruses and Attachments 

• Employees are responsible for virus checking any attachment received before opening. 

17.4. Information Confidentiality 

• Email is an insecure method of communication with content easily copied, forwarded or archived. 
Sensitive data should not be sent by this means. 

17.5. Intent to enforce and monitor 

• The Municipality reserves the right to carry out monitoring exercises on its systems, possibly 
without prior notice. As part of this monitoring, email blocking software may be used by the 
Municipality to block and read any email on the Municipality network at any time. 

• The Municipality is committed to ensuring that any monitoring is undertaken with reference to the 
privacy of the user and with regard to the applicable legislative requirements. 

17.6. Retention and Purging 

• Deletion of old emails must be managed by each individual user, keeping in mind storage levels, 
archival levels, contractual evidence and legal discovery issues. 

17.7. Junk mail 

• Email should not be sent to large numbers of people unless you are sure that it is directly relevant 
to their job. Sending unsolicited mail to many users ('spamming') is wasteful of user time and can 
disrupt the service, via performance delays, for other users. 

17.8. Very large files 

• Sending of large files should be avoided where possible. The use of appropriately licensed 
compression software (e.g. *.zip files) is advised. Extremely large files should be sent by means 
other than email. 

18. Municipal Information 

18.1. Offices 

• All staff, contractor, learnership, financial and official records should be stored in a secure 
area and not left in an unattended, unlocked room. They should only be retained for the minimum 
length of time that they are absolutely required. 

18.2. Transportation 

• When required to transport any data or information, the individual undertaking the transport is 
responsible for ensuring the safety and security of the data or information. This data or information 
should not be left unattended at any time and should be stored in a concealed area. 

18.3. Responsibility 

• All Municipal staff who use, or come into contact with, confidential records are individually 
responsible for their safekeeping. Employees should be aware of their contractual and legal 
confidentiality obligations. 

19. Working from home 


• Employees working from home or taking information home to work on, regardless of whether the 
equipment belongs to the Municipality or is privately owned, should be informed about the security 
requirements such as anti-virus and security patch management. 

19.1. Protecting data files 

• Confidential electronic files used at or worked on from home or on personal equipment must be 
protected with a password. 

19.2. Use of Privately owned Computers at Home 

• General Internet access carries with it a security risk of downloading viruses or programs that can 
look around a network and infiltrate password security systems. This information can then be sent 
back to the originator of the program in order to allow them unauthorized access to our systems. 

• Always use care when transferring data between your personal equipment and the Municipality's 
equipment. 

• Before working on information or data of the Municipality, privately owned equipment should be 
compliant with the following: 

o Have an anti-virus application installed and enabled. 

o Virus and security signatures must be updated and not be older than 30 days. 

o Must be current with all the security updates of the installed software. 

19.3. Transportation of information 

• You should take reasonable care to minimize the risk of theft or damage; IT equipment must be 
transported in a clean, secure environment. During transfer of equipment between home and work 
you should keep the equipment out of sight and not leave it unattended at any time. Computer 
equipment or manual data must not be left in your car overnight. 

19.4. Storage of information 

• You should take all reasonable steps to minimize the visibility of computer equipment from outside 
the home, and to secure windows and doors when the home is unoccupied. 

• You should secure confidential data or reports that you are not actively using in the most secure 
area of your home. 

20. Anti-virus Security 

A computer virus is a damaging piece of software that can be transferred between programs or 
between computers without the knowledge of the user. When the virus software is activated (by 
incorporated instructions, e.g. on a particular date), it performs a range of actions such as 
displaying a message, corrupting software, files and data to make them unusable, and deleting files 
and/or data. While many of the viruses produced are benign and cause no real damage to the 
infected system, they always constitute a breach of security. Even daily anti-virus updates are not 
always enough to ensure safety from all possible threats. 

20.1. Anti-virus Prevention 

• Whilst precautions are taken at the network level to minimize the spread and impact of worms and 
viruses, it is not possible to make the process totally effective. Protection from viruses and worms is 
not a process that can be left entirely to system administrators, security officers, and anti-virus 
software. The best efforts of administrators and security experts are not sufficient - all computer 
users must also play their part by taking simple precautions like those described below. 

20.2. Avoid Unauthorized Software 

• Programs like games, joke programs, cute screensavers, unauthorized utility programs and so 
on can sometimes be the source of difficulties even if they are genuinely non-malicious. That is why 
it is forbidden to install them. If such programs are claimed to be some form of antivirus or 
anti-Trojan utility, there is a high risk that they are actually in some way malicious! 

20.3. Attachments 

• It makes sense to be cautious about email attachments from people you don't know. However, if 
attachments are sent to you by someone you do know, don't assume they must be OK because you 
trust the sender. Worms generally spread by sending themselves without the knowledge of the 
person from whose account they spread. If you do not know the sender or are not expecting any 
messages from the sender about that topic, it is worth checking with the sender that they intended 
to send a message, and if so, whether they intended to include any attachment. If you were 
expecting an attachment from them, this may not apply. However, one recent virus sends out an 
email telling you that a "safe" attachment is on the way, and then sends out mail with a copy of 
itself as an attachment. 

• Bear in mind that even legitimate, expected attachments can be virus infected: worms and viruses 
are related, but cause slightly different problems. 

• A worm is a self-replicating virus that does not alter files but resides in active memory and 
duplicates itself. Worms use parts of an operating system that are automatic and usually invisible 
to the user. It is common for worms to be noticed only when their uncontrolled replication 
consumes system resources, slowing or halting other tasks. 

• In computers, a Trojan horse is a program in which malicious or harmful code is contained inside 
apparently harmless programming or data in such a way that it can get control and do its chosen 
form of damage. In one celebrated case, a Trojan horse was a program that was supposed to find 
and destroy computer viruses. A Trojan horse may be widely redistributed as part of a computer 
virus. 

• Regard anything that meets the following criteria with particular suspicion: 

o If they come from someone you don't know, who has no legitimate reason to send them to 
you. 

o If an attachment arrives with an empty message. 

o If there is some text in the message, but it doesn't mention the attachment. 

o If there is a message, but it doesn't seem to make sense. 

o If there is a message, but it seems uncharacteristic of the sender (either in its content or in 
the way it's expressed). 

o If it concerns unusual material like pornographic web-sites, erotic pictures and so on. 

• If the message doesn't include any personal references at all, (for instance a short message that just 
says something like "You must take a look at this", or "I'm sending you this because I need your 
advice" or "I love you!"). 

• If the attachment has a filename extension that indicates a program file (such as those listed 
below). 

• If it has a filename with a "double extension", like FILENAME.JPG.vbs or FILENAME.TXT.scr, that 
may be extremely suspicious. As far as Windows is concerned, it's the last part of the name that 
counts, so check that to find out whether it's a program like those listed, masquerading as a data 
file, such as a text file or JPEG (graphics) file. 

• In all the above instances, it is recommended that you check with the sender that they knowingly 
sent the mail/attachment in question. 

• If Word or Excel warn you that a document you're in the process of opening contains macros, 
regard the document with particular suspicion unless you are expecting the document and you 
know that it's supposed to contain macros. Even then, don't enable macros if you don't need to. It 
may be worth checking with the person who sent it to you that it is supposed to contain macros. 

• If you receive an encrypted or password protected attachment, it will normally be legitimate mail 
from someone you know, sent intentionally (though the sender is unlikely to know in the event that 
they have a virus). However, that doesn't necessarily mean that it isn't virus-infected. If it started 
out infected, encryption won't fix it. Furthermore, encrypted attachments can't usually be scanned 
for viruses in transit: the onus is on the recipient to be sure the decrypted file is checked before it's 
opened. This goes not only for heavyweight encryption packages, but also for files compressed and 
encrypted with PKZip or WinZip. 

21. Corrective actions for non-policy compliance 

• Failure to comply with the guidelines stipulated in the Municipality's policies will result in the 
following corrective or disciplinary procedures. 

• The decisive action that will be taken against the employee is dependent on the severity level and 
the level of the security risk. 

• Warning from Management 

o The employee receives a warning from their manager that they were in violation of policy. 

• Written Warning in Personnel File 

o The employee is reprimanded, and official notice is put in their personnel file. This may 
have negative consequences during future performance reviews or promotion 
considerations. 

• Revoking Privileges 

o Access to certain resources, such as internet or email, can be revoked for a limited period 
providing that this action does not have a negative impact on the employee's job functions. 

• Training 

o Adequate training to create awareness and guidance on policy compliance. 

• Disciplinary action will be determined in compliance with Schedule 8 of the Labour Relations Act 66 
of 1995 or other related Public Service Regulations. 

22. Glossary and Abbreviations 


Please refer to the Thabachweu Glossary and abbreviations guide. 